The lethal trifecta for AI agents
The single most important security idea for anyone deploying agents.
Open simonwillison.net →The core risk is Simon Willison's lethal trifecta: an agent that can read your private data, sees untrusted content (any email or web page), and can communicate externally can be tricked by a poisoned message into leaking or destroying things, with no bug in your code required. Prompt injection remains unsolved, so design around it: give agents the minimum access needed, never combine all three capabilities in one agent, require human approval for anything that sends, spends or deletes, and log everything.
A quick orientation. The real value is below: resources worth your time, from people who've actually done it.
The single most important security idea for anyone deploying agents.
Open simonwillison.net →The same argument in shareable form for your team channel.
Open simonw.substack.com →The full running history of the attack class, from the person who named it.
Open simonwillison.net →The foundational explainer that makes the attack click in 15 minutes.
Open simonw.substack.com →Fresh real-world exploits showing this is not theoretical.
Open simonw.substack.com →The industry-standard checklist, free and framework-agnostic.
Open cheatsheetseries.owasp.org →Translates the OWASP list into concrete actions for small teams.
Open goteleport.com →Security researchers show working attacks and layered defenses.
Open hiddenlayer.com →Frames the fix as an authorization problem, which is what it is.
Open osohq.com →The enterprise-buyer view, useful when their security team reviews your agent.
Open techtarget.com →Argues you cannot prompt your way to safety; the architecture must enforce it.
Open cyera.com →A copyable taint-tracking and approval-gating pattern for your own build.
Open github.com →A calm engineering-management view of guardrails and human-in-the-loop.
Open infoworld.com →How a major platform maps each OWASP risk to concrete mitigations.
Open microsoft.com →Why the industry still has no robust fix, straight from the source.
Watch on YouTube youtube.com →A current-year synthesis tying the main threats to a defense stack.
Open airia.com →